From 6fb6b064c521b432e50d4811d701b8368913990b Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Mon, 16 Feb 2026 10:32:45 +1100 Subject: [PATCH 1/4] feat: allow per-extension license metadata This change introduces a `licenses` field to the metadata schema, allowing each extension to define its own SPDX license identifier. The `docker-bake.hcl` has been updated to use this metadata for OCI labels and annotations instead of a hardcoded "Apache-2.0" string. This enables proper legal transparency for extensions with different, yet compatible, licensing requirements, such as PostGIS (`GPL-2.0-only`). Changes: - Added `licenses` field to metadata.hcl template - Updated docker-bake.hcl to reference `${metadata.licenses}` - Updated `metadata.hcl` for the existing extensions Closes #110 Signed-off-by: Gabriele Bartolini --- docker-bake.hcl | 4 ++-- pgaudit/metadata.hcl | 1 + pgvector/metadata.hcl | 1 + postgis/metadata.hcl | 1 + templates/metadata.hcl.tmpl | 6 ++++++ 5 files changed, 11 insertions(+), 2 deletions(-) diff --git a/docker-bake.hcl b/docker-bake.hcl index 738268d..fa66d20 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -74,7 +74,7 @@ target "default" { "index,manifest:org.opencontainers.image.description=A ${metadata.name} ${getExtensionVersion(distro, pgVersion)} container image for PostgreSQL ${pgVersion} on ${distro}", "index,manifest:org.opencontainers.image.documentation=${url}", "index,manifest:org.opencontainers.image.authors=${authors}", - "index,manifest:org.opencontainers.image.licenses=Apache-2.0", + "index,manifest:org.opencontainers.image.licenses=${metadata.licenses}", "index,manifest:org.opencontainers.image.base.name=scratch", "index,manifest:io.cloudnativepg.image.base.name=${getBaseImage(distro, pgVersion)}", "index,manifest:io.cloudnativepg.image.base.pgmajor=${pgVersion}", @@ -91,7 +91,7 @@ target "default" { "org.opencontainers.image.description" = "A ${metadata.name} ${getExtensionVersion(distro, pgVersion)} container image for PostgreSQL ${pgVersion} on ${distro}", "org.opencontainers.image.documentation" = "${url}", "org.opencontainers.image.authors" = "${authors}", - "org.opencontainers.image.licenses" = "Apache-2.0", + "org.opencontainers.image.licenses" = "${metadata.licenses}", "org.opencontainers.image.base.name" = "scratch", "io.cloudnativepg.image.base.name" = "${getBaseImage(distro, pgVersion)}", "io.cloudnativepg.image.base.pgmajor" = "${pgVersion}", diff --git a/pgaudit/metadata.hcl b/pgaudit/metadata.hcl index 35a4670..132af0d 100644 --- a/pgaudit/metadata.hcl +++ b/pgaudit/metadata.hcl @@ -2,6 +2,7 @@ metadata = { name = "pgaudit" sql_name = "pgaudit" image_name = "pgaudit" + licenses = "PostgreSQL" shared_preload_libraries = ["pgaudit"] extension_control_path = [] dynamic_library_path = [] diff --git a/pgvector/metadata.hcl b/pgvector/metadata.hcl index afb37f3..a170751 100644 --- a/pgvector/metadata.hcl +++ b/pgvector/metadata.hcl @@ -2,6 +2,7 @@ metadata = { name = "pgvector" sql_name = "vector" image_name = "pgvector" + licenses = "PostgreSQL" shared_preload_libraries = [] extension_control_path = [] dynamic_library_path = [] diff --git a/postgis/metadata.hcl b/postgis/metadata.hcl index 0f555fb..e2dd5ef 100644 --- a/postgis/metadata.hcl +++ b/postgis/metadata.hcl @@ -2,6 +2,7 @@ metadata = { name = "postgis" sql_name = "postgis" image_name = "postgis-extension" + licenses = "GPL-2.0-or-later AND Apache-2.0 AND MIT AND LGPL-2.1-only AND LGPL-3.0-or-later" shared_preload_libraries = [] extension_control_path = [] dynamic_library_path = [] diff --git a/templates/metadata.hcl.tmpl b/templates/metadata.hcl.tmpl index e34eaf3..5650501 100644 --- a/templates/metadata.hcl.tmpl +++ b/templates/metadata.hcl.tmpl @@ -9,6 +9,12 @@ metadata = { # it identifies the image (e.g. ghcr.io/cloudnative-pg/) image_name = "{{ .Name }}" + # TODO: Remove this comment block after customizing the file. + # `licenses`: The SPDX license identifier for the extension software. + # Examples: "Apache-2.0", "PostgreSQL", "GPL-2.0-only". + # See: https://spdx.org/licenses/ + licenses = "Apache-2.0" + # TODO: Remove this comment block after customizing the file. # `shared_preload_libraries`: list libraries to be added to # `shared_preload_libraries` in Postgres. Usually empty. From 7759cef591c6c5a7ae903b4f0945805a96a5d82e Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Mon, 16 Feb 2026 10:56:00 +1100 Subject: [PATCH 2/4] fix: cosmetic change Signed-off-by: Gabriele Bartolini --- templates/metadata.hcl.tmpl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/metadata.hcl.tmpl b/templates/metadata.hcl.tmpl index 5650501..a916e7c 100644 --- a/templates/metadata.hcl.tmpl +++ b/templates/metadata.hcl.tmpl @@ -10,7 +10,7 @@ metadata = { image_name = "{{ .Name }}" # TODO: Remove this comment block after customizing the file. - # `licenses`: The SPDX license identifier for the extension software. + # `licenses`: The SPDX license identifier(s) for the extension software. # Examples: "Apache-2.0", "PostgreSQL", "GPL-2.0-only". # See: https://spdx.org/licenses/ licenses = "Apache-2.0" From c619e6a497fa5c24a65735b5d79c0bfc19e365ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Niccol=C3=B2=20Fei?= Date: Wed, 18 Feb 2026 15:58:05 +0100 Subject: [PATCH 3/4] docs: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Niccolò Fei --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d45e7bd..14ea56e 100644 --- a/README.md +++ b/README.md @@ -147,7 +147,7 @@ annotations as defined by the [OCI Image Format Specification](https://github.co | `org.opencontainers.image.title` | Human-readable image title | | `org.opencontainers.image.description` | Image description | | `org.opencontainers.image.source` | Source repository URL | -| `org.opencontainers.image.licenses` | License identifier (Apache-2.0) | +| `org.opencontainers.image.licenses` | License identifier | You can inspect these labels using container tools: From cf10bd3911b601fb34217c3fe6e29fc7f2c0e993 Mon Sep 17 00:00:00 2001 From: Gabriele Bartolini Date: Thu, 19 Feb 2026 17:25:56 +1100 Subject: [PATCH 4/4] chore: updated the list of licenses in PostGIS I have used trivy to provide that list Signed-off-by: Gabriele Bartolini --- postgis/metadata.hcl | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/postgis/metadata.hcl b/postgis/metadata.hcl index e2dd5ef..ecaabce 100644 --- a/postgis/metadata.hcl +++ b/postgis/metadata.hcl @@ -2,7 +2,16 @@ metadata = { name = "postgis" sql_name = "postgis" image_name = "postgis-extension" - licenses = "GPL-2.0-or-later AND Apache-2.0 AND MIT AND LGPL-2.1-only AND LGPL-3.0-or-later" + licenses = <<-EOT + Apache-2.0 AND blessing AND BSD-2-Clause AND BSD-3-Clause AND + BSD-3-Clause-Clear AND BSD-3-Clause-LBNL AND BSD-4-Clause-UC AND + BSL-1.0 AND CC-BY-3.0 AND CC-BY-4.0 AND CC-BY-SA-3.0 AND cURL AND + FTL AND GPL-2.0 AND GPL-3.0 AND HDF5 AND HPND-sell-variant AND + IJG AND Info-ZIP AND ISC AND LGPL-2.1 AND Libpng AND libtiff AND + MIT AND MIT-Modern-Variant AND MPL-1.1 AND OpenLDAP-2.8 AND + PostgreSQL AND Spencer-86 AND SPL-1.0 AND Unicode-DFS-2015 AND + Unlicense AND X11 AND Zlib + EOT shared_preload_libraries = [] extension_control_path = [] dynamic_library_path = []